Home Depot, the US home improvement retailer, has agreed to pay a settlement of $25 million for damages resulting from a breach in 2014 that exposed personal data including email and credit card details of more than 50 million customers.
Under the terms of the agreement, Home Depot must also improve cybersecurity implementation, including oversight of its vendors.
According to a company statement, hackers used a third-party vendor’s user name and password to enter its network’s perimeter, and then acquired elevated rights allowing them to navigate portions of the network and deploy unique, custom-built malware on its self-checkout systems.
A spokesman for the company said they were pleased to have moved through this phase of resolution.
Home Depot has already paid out some $134.5 million in compensation to card brands and financial institutions, as well as agreeing $19.5 million in compensation for affected customers.
Fortune reported that the cost of the breach is currently running at around $179 million, based on figures in court documents, but that figure is expected to rise considerably once legal fees and other charges are factored in.
Target’s high-profile data breach was also blamed on criminals’ use of third-party vendor credentials.
Cyber security experts have commented that the Target and Home Depot breaches both demonstrated the need for retailers to get a better grasp of who is being granted shared access to their networks, and to integrate systems along the supply chain.